[Javology]
------------------------------------------------------------------------------
[Breaking News]

Mocha Decompiler

Anything that can be compiled can also be decompiled, and Mocha has reached this inevitable goal. Although a rudimentary decompiler is included with the JDK (javap), it only enumerates method signatures. Mocha actually uses the extensive symbol information present in class files to produce human-readable source code. Freely downloadable from the Mocha Web site, it can handle fairly complex programs without breaking a sweat. As an example, its author decompiled the GraphLayout example that ships with the JDK and compared the result with the provided code. They are remarkably similar; variable names are retained, and only the order of certain declarations changed significantly.

This development opens a can of worms for every Java programmer. While reverse engineering can be used for purposes as innocent as "how did they do that?", its potential for piracy and industrial espionage is clear. Mocha's author explicitly forbids such abuse of the product, but criminals who laugh at the law are no more likely to heed this warning. The question then becomes, how can commercial software be protected from decompilation?

The author suggests one feasible solution: using Java to build the frontend of a program, and hiding critical data in a backend which lives elsewhere on a server. This is inconvenient, increasing server load, but it does save the user from long download times. He also points out that classes with large amounts of useless code (unused local variables and methods) can confuse Mocha. The only sure-fire way to prevent reverse engineering, however, is an embedded encryption scheme on the order of RSA's algorithms, and this has not been developed for Java yet.
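
An added example (not from the original article or from Mocha): a short Python parser that lists the names stored in a class file's constant pool, which is the symbol information a decompiler draws on, so a developer can see what a compiled class ships with. The sample class bytes and the names in them (LicenseCheck, secretKey, validate, attempts) are constructed for illustration.

```python
import struct

# Payload size in bytes of each fixed-width constant-pool tag (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
ATTRS = {"Code", "ConstantValue", "Exceptions", "LineNumberTable",
         "LocalVariableTable", "SourceFile"}  # standard attribute names

def constant_pool_strings(data):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, index, found = 10, 1, []
    while index < count:
        if pos >= len(data):
            raise ValueError("truncated constant pool")
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            found.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return found

def exposure_report(data):
    """Summarise which author-chosen names ship inside the compiled class."""
    strings = constant_pool_strings(data)
    names = [s for s in strings if s.isidentifier() and s not in ATTRS]
    return {"names": names, "local_variable_names": "LocalVariableTable" in strings}

def utf8_entry(text):  # helper for the constructed sample (ASCII only)
    return b"\x01" + struct.pack(">H", len(text)) + text.encode("ascii")

def sample_class():
    """Constructed sample: header, 12-slot constant pool, empty class body."""
    pool = [utf8_entry("LicenseCheck"), b"\x07\x00\x01",
            utf8_entry("java/lang/Object"), b"\x07\x00\x03",
            utf8_entry("secretKey"), utf8_entry("Ljava/lang/String;"),
            b"\x05" + struct.pack(">q", 1996),
            utf8_entry("validate"), utf8_entry("(Ljava/lang/String;)Z"),
            utf8_entry("LocalVariableTable"), utf8_entry("attempts")]
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, 13)  # version 45.3
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return head + b"".join(pool) + body
```

Calling exposure_report(sample_class()) returns the four constructed names and reports that the attribute carrying local variable names is present.
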
Mocha provides a world of legal functionality: recovering lost source code and learning programming techniques from others. What becomes of its destructive potential is entirely up to its users. Such a tool is needed and welcomed by many; but developers should keep in mind that compilation is no longer a sure-fire protection of company secrets.

Kerry Hammil, khammil@primenet.com

----------------------------------------------------------------------------
© 1996 Javology